[Full-disclosure] Re: iDEFENSE Security Advisory 08.09.05: AWStats

From: iDEFENSE Labs (labs-no-reply@idefense.com)
Date: Thu Aug 11 2005 - 11:55:43 CDT


Martin,

Apologies for the confusion, and thank you for bringing this to our
attention. The version information was slightly off in our original
advisory. The vulnerability does affect AWStats 6.4 and prior, and the flaw
has been addressed in AWStats 6.5.

The patch was introduced inadvertently when all eval() calls were replaced
with sane function calls in the cvs commit shown here:

http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.819&r2=1.820&diff_format=u

The patched function in AWStats 6.5 is at lines 4925 - 4936 of the
awstats.pl script:

sub ShowURLInfo {
        my $url=shift;
        my $nompage=CleanFromCSSA($url);

        # Call to plugins' function ShowInfoURL
        foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}}) {
                # Pre-6.5 code: $url was interpolated into Perl source and eval'd
                # my $function="ShowInfoURL_$pluginname('$url')";
                # eval("$function");
                # 6.5 code: resolve the sub by name and pass $url as a plain argument
                my $function="ShowInfoURL_$pluginname";
                &$function($url);
        }
}

The public advisory on our website has been updated and can be accessed at
the following url:
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

iDEFENSE Labs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
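The following is an added example, not code from AWStats or from iDEFENSE, that places the pre-6.5 string-eval dispatch next to the 6.5 direct-call dispatch quoted in the message above. The plugin hook ShowInfoURL_demo, the shape of %PluginsLoaded and the sample URL are constructed for the demonstration; only the two dispatch patterns come from the quoted awstats.pl function.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: contrasts the pre-6.5 string-eval dispatch
# with the 6.5 direct-call dispatch quoted in the message above.
use strict;
use warnings;

# Constructed stand-in for one plugin's ShowInfoURL hook (name is hypothetical).
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "demo plugin saw: $url";
}

# Mirrors the shape of %PluginsLoaded in awstats.pl: plugin names come from the
# server-side plugin configuration, never from the HTTP request.
my %PluginsLoaded = ( ShowInfoURL => { demo => 1 } );

# Pre-6.5 pattern (the commented-out lines in the patched function): the URL is
# interpolated into Perl source text and compiled with eval. A quote character
# in $url ends the string literal and the rest of the URL is parsed as code.
sub call_via_string_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $result   = eval $function;           # demonstration only
    return defined $result ? $result : "eval failed: $@";
}

# 6.5 pattern: resolve the sub by name and pass $url as an ordinary argument,
# so its contents stay data rather than source. ->can returns a code ref for a
# named sub in the package, which avoids a symbolic reference under strict.
sub call_directly {
    my ($pluginname, $url) = @_;
    die "unknown plugin '$pluginname'\n"
        unless $PluginsLoaded{ShowInfoURL}{$pluginname};
    my $code = __PACKAGE__->can("ShowInfoURL_$pluginname")
        or die "plugin '$pluginname' has no ShowInfoURL hook\n";
    return $code->($url);
}

# Constructed URL containing a single quote, the character that breaks the
# interpolated source in the old pattern.
my $url = "http://www.example.com/page.html?q=it's";

foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
    print "string eval : ", call_via_string_eval($pluginname, $url), "\n";
    print "direct call : ", call_directly($pluginname, $url), "\n";
}
```

Run as a plain script: the direct call hands the URL, quote included, to the plugin unchanged, while the string-eval path fails to compile because the quote terminates the literal. The direct call is only as safe as the source of $pluginname; in awstats.pl that name comes from the loaded-plugin registry, so the one remaining interpolation in the 6.5 code concatenates configuration data, not request data.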